Hi all,
I am doing some tests filtering alerts using community_id field between Suricata and Zeek NIDS (Zeek release is 3.0.5). But I am seeing inconsistencies.
An example. This alert: ET POLICY curl User-Agent Outbound.
Zeek’s conn.log:
{"_node_name":"worker-2","ts":"2020-03-06T11:59:50.180917Z","uid":"C8T8ce1oTnt3ln5723","id.orig_h":"172.22.59.4","id.orig_p":54692,"id.resp_h":"149.28.239.174","id.resp_p":80,"proto":"tcp","service":"http","duration":0.44036006927490234,"orig_bytes":121,"resp_bytes":21647,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADadFf","orig_pkts":21,"orig_ip_bytes":973,"resp_pkts":19,"resp_ip_bytes":22419,"community_id":"1:FEAOBSU+mBA7TJlKI8FANpOagdY="}
Suricata’s alert output:
{"timestamp":"2020-03-06T11:59:50.386789+0000","flow_id":327732767925959,"in_iface":"vtnet3","event_type":"alert","src_ip":"172.22.59.4","src_port":54692,"dest_ip":"149.28.239.174","dest_port":80,"proto":"TCP","community_id":"1:2sl7O0BzoS6G46kkIoRtxQMKWi4=","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013028,"rev":4,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":2,"metadata":{"updated_at":["2011_06_14"],"created_at":["2011_06_14"]}},"http":{"hostname":"www.ipdeny.com","url":"/ipblocks/data/aggregated/ir-aggregated.zone","http_user_agent":"curl/7.61.1","http_content_type":"text/plain","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":1134},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":4,"bytes_toserver":349,"bytes_toclient":3052,"start":"2020-03-06T11:59:50.173767+0000"},"payload":"R0VUIC9pcGJsb2Nrcy9kYXRhL2FnZ3JlZ2F0ZWQvaXItYWdncmVnYXRlZC56b25lIEhUVFAvMS4xDQpIb3N0OiB3d3cuaXBkZW55LmNvbQ0KVXNlci1BZ2VudDogY3VybC83LjYxLjENCkFjY2VwdDogKi8qDQoNCg==","stream":1}
As you can see here, community_id is different for the same session while timestamp is the same (well, now I see there’s a little millisecond variation).
But can that be the problem? Or am I making a configuration error? Or is it a bug?
Suricata is release 5.0.2
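One way to find out which sensor is producing the right value is to recompute Community ID v1 from the 5-tuple both logs agree on and compare it to each record. This is an added example, not code from the poster or from either project; it implements the published v1 algorithm (seed + ordered 5-tuple, SHA1, base64) and embeds only the fields quoted from the two log lines above. The default seed of 0 is assumed for both sensors.

```python
import base64
import hashlib
import ipaddress
import struct

# Transport protocols whose Community ID hashes the port pair.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Community ID v1: "1:" + base64(SHA1(seed || ordered 5-tuple)).

    seed is the 16-bit value both sensors must agree on; Suricata's
    community-id-seed and Zeek's CommunityID::seed both default to 0.
    """
    proto_num = PROTO_NUMBERS[proto.lower()]
    src = ipaddress.ip_address(src_ip).packed
    dst = ipaddress.ip_address(dst_ip).packed
    # Flow ordering: the lower address (then lower port) goes first, so
    # both directions of one connection produce the same ID.
    if (src, src_port) > (dst, dst_port):
        src, dst, src_port, dst_port = dst, src, dst_port, src_port
    data = struct.pack("!H", seed) + src + dst
    data += struct.pack("!BBHH", proto_num, 0, src_port, dst_port)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Fields copied from the conn.log and eve.json records quoted in the post.
ZEEK_CONN = {"id.orig_h": "172.22.59.4", "id.orig_p": 54692,
             "id.resp_h": "149.28.239.174", "id.resp_p": 80, "proto": "tcp",
             "community_id": "1:FEAOBSU+mBA7TJlKI8FANpOagdY="}
SURICATA_ALERT = {"src_ip": "172.22.59.4", "src_port": 54692,
                  "dest_ip": "149.28.239.174", "dest_port": 80, "proto": "TCP",
                  "community_id": "1:2sl7O0BzoS6G46kkIoRtxQMKWi4="}


def check_logs(zeek_conn, suri_alert, seed=0):
    """Recompute the ID from Zeek's 5-tuple and report which sensor agrees."""
    expected = community_id_v1(zeek_conn["id.orig_h"], zeek_conn["id.orig_p"],
                               zeek_conn["id.resp_h"], zeek_conn["id.resp_p"],
                               zeek_conn["proto"], seed)
    return {"expected": expected,
            "zeek_matches": zeek_conn["community_id"] == expected,
            "suricata_matches": suri_alert["community_id"] == expected}


if __name__ == "__main__":
    print(check_logs(ZEEK_CONN, SURICATA_ALERT))
```

If neither record matches with seed 0, try the seed configured on each sensor; a sensor that matches only with a non-zero seed has a seed mismatch rather than a bug.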